---
layout: default
title: Rust Security Policy &middot; The Rust Programming Language
---

<h1>Rust Security Policy</h1>

<h2>Reporting a Bug</h2>

<p>Safety is one of the core principles of Rust, and to that end, we would
like to ensure that Rust has a secure implementation. Thank you for taking the
time to responsibly disclose any issues you find.</p>

<p>All security bugs in the Rust distribution should be reported by email to
<a href="mailto:security@rust-lang.org">security@rust-lang.org</a>. This list
is delivered to a small security team. Your email will be acknowledged within 24
hours, and you'll receive a more detailed response to your email within 48
hours indicating the next steps in handling your report. If you would like, you
can encrypt your report using <a href="../rust-security-team-key.gpg.ascii">our public key</a>.
This key is also <a
href="https://pgp.mit.edu/pks/lookup?op=vindex&amp;search=0xEFB9860AE7520DAC">on
MIT's keyserver</a> and <a href="#key">reproduced below</a>.</p>

<p>This email address receives a large amount of spam, so be sure to use a
descriptive subject line to avoid having your report be missed. After the
initial reply to your report, the security team will endeavor to keep you
informed of the progress being made towards a fix and full announcement. As
recommended by <a href="https://en.wikipedia.org/wiki/RFPolicy">RFPolicy</a>,
these updates will be sent at least every five days. In reality, this is more
likely to be every 24-48 hours.</p>

<p>If you have not received a reply to your email within 48 hours, or have not
heard from the security team for the past five days, there are a few steps you
can take:</p>

<ul>
    <li>Contact the current security coordinator (<a href="mailto:steve@steveklabnik.com">Steve Klabnik</a>
        (<a href="https://pgp.mit.edu/pks/lookup?op=vindex&amp;search=0xDAE717EFE9424541">public key</a>)) directly.</li>
    <li>Contact the back-up contact (<a href="mailto:andersrb@gmail.com">Brian Anderson</a>
        (<a href="https://pgp.mit.edu/pks/lookup?op=vindex&amp;search=0x16457A6368CFF26F">public key</a>)) directly.</li>
    <li>Post on the <a href="https://internals.rust-lang.org/">internals forums</a>
    or ask in the #rust-internals IRC room on irc.mozilla.org.</li>
</ul>

<p>Please note that the discussion forums and #rust-internals IRC channel are
public areas. When escalating in these venues, please do not discuss your
issue. Simply say that you're trying to get a hold of someone from the security
team.</p>

<h2>Disclosure Policy</h2>

<p>The Rust project has a 5-step disclosure process.</p>

<ol>
<li>The security report is received and is assigned a primary handler. This
person will coordinate the fix and release process.</li>

<li>The problem is confirmed and a list of all affected versions is determined.</li>

<li>Code is audited to find any potential similar problems.</li>

<li>Fixes are prepared for all releases which are still under maintenance.
These fixes are not committed to the public repository but rather held locally
pending the announcement.</li>

<li>On the embargo date, the <a href="https://groups.google.com/forum/#!forum/rustlang-security-announcements">
Rust security mailing list</a> is sent a copy of the announcement. The changes
are pushed to the public repository and new builds are deployed to
rust-lang.org. Within 6 hours of the mailing list being notified, a copy of
the advisory will be published on the Rust blog.</li>
</ol>

<p>This process can take some time, especially when coordination is required
with maintainers of other projects. Every effort will be made to handle the bug
in as timely a manner as possible; however, it's important that we follow the
release process above to ensure that the disclosure is handled in a consistent
manner.</p>

<h2>Receiving Security Updates</h2>

<p>The best way to receive all the security announcements is to subscribe to
the <a
href="https://groups.google.com/forum/#!forum/rustlang-security-announcements">Rust
security announcements mailing list</a>. The mailing list is very low traffic,
and it receives the public notifications the moment the embargo is lifted.</p>

<h3>Advance notification</h3>

<p>We will announce vulnerabilities 72 hours before the embargo is lifted to
<a href="http://oss-security.openwall.org/wiki/mailing-lists/distros">distros@openwall</a>,
so that Linux distributions can update their packages.</p>

<h2>Comments on This Policy</h2>

<p>If you have any suggestions to improve this policy, please send an email to
<a href="mailto:security@rust-lang.org">security@rust-lang.org</a>.</p>

<h2 id="key">Plaintext PGP Key</h2>

<pre><code>{% include rust-security-team-key.gpg.ascii %}</code></pre>
